Are Biometrics The Future For The NHS?

Biometric Technology in the NHS

After the huge launch at the Apple Event last night, everyone is talking about the leap in biometric technology to drop the fingerprint scanner in favour of facial recognition.

Biometrics are physiological reference points that are unique to every individual. The most commonly used are fingerprint and iris scanners, or facial recognition infrared technology.

It made us think here at Isosec: fingerprint scanners are commonplace in all industries. Timekeeping sign-in systems are often fingerprint scanners, and they’re used in HR and payroll and even in some schools to take out library books. Biometrics are widely accepted everywhere except the NHS.

As mounting economic and political pressure on the NHS forces IT leaders to adopt new technology to be more resourceful, one of the biggest worries is cybersecurity and the ways digital records can best be protected. Some Trusts already use biometrics for restricted access areas and equipment. Could using biometrics to authenticate clinical staff be a sensible adoption for the NHS?

What are the Advantages of Using Biometric Technology in the NHS?

  • Time Savings – In the NHS time is critical. By not having to waste time entering passcodes every time you authenticate, or resetting your details with the registration authority, more time can be spent on patient care.
  • Cost Savings – There would be no need for specialist printers or materials to print smartcards on, and no more buying smartcard readers. Smartphones are in everyone’s pockets, and software could be set up so that a code is shared with your personal device from the workstation and you authenticate using your biometrics on there.
  • Fewer Errors – Biometric data doesn’t change, so there’s less chance of duplicated records when you change your surname, or locked accounts when you forget or mistype your passcode.
  • Improve Security – Reduce reliance on secondary info like passcodes and high-risk methods like smartcards, both of which can be shared or misplaced.
  • More Audits and Data – With new technology data is captured in real-time and can be easily shared and compiled to reveal new key learnings for an organisation which could be very beneficial to improving care in the NHS. Biometrics are unequivocal, providing clear audit trails for which users have done which tasks without wondering if a smartcard has been borrowed or passcode shared.
  • Integrated Care Pathways – If the NHS as a whole were to adopt biometrics as a patient identifier, for example, then those patients who are geographically shared by Trusts or have more complex healthcare in a range of settings could share their information more easily. With a biometric-accessed record a patient could take their health record with them wherever they go, be it social care, community care, or acute. They can also give consent to share their information in real-time, rather than waiting for paperwork to be processed.

Are Biometrics the Future of Cybersecurity in the NHS?

Whether the whole NHS will opt to use biometric data alone, like Apple have done, is hard to tell; the technology needs more thorough user testing first. Current NHS security standards demand dual authentication (e.g. a biometric plus a passcode) for an added layer of security, but as technology marches forward perhaps we will see a change in the UK’s digital healthcare technology, especially with the advantages stacking up. There is certainly no reason for Trusts to wait to investigate their options: the technology is already here and waiting to be used to its full potential.

If you would like to talk to us more about our smart authentication products for the NHS please visit our website where you will find brochures and videos on our iO Virtual Smartcard.

5 Unsafe Workaround Tactics With The NHS Smartcard

Isosec and the NHS Smartcard

Okay, firstly there will be no naming and shaming here, so if you were hoping to see organisations with poorer processes than yours, shame on you. Cybersecurity is no joke, especially when it comes to the NHS smartcard and protecting patient data.

What we are going to share are five very real examples of unsafe working practices involving NHS Smartcards.

We’ve been working with the NHS for fifteen years now and originated from an IT security background around smartcards and secure authentication. We have over 40,000 iO users (our smartcard identity agent) and as a result have seen thousands of local use-cases for the NHS smartcard, some hugely successful… some not so much.

If you’ve somehow wandered here by accident and aren’t sure what we’re talking about, NHS smartcards are similar to chip and pin cards that allow our healthcare professionals here in the UK to access the patient information that’s relevant to their role.

Here are five ways we’ve seen organisations abuse the power of the NHS smartcard.

  1. Passcode strength – Pretty obvious one to start with, but setting a secure passcode really is important! We’ve had people volunteer that their passcode is ‘passcode’, ‘1234’, even ‘doctor’. It may be quicker to type 1234 in a hurry, but it undermines the whole authentication process if you fail to keep your personal security standards high.
  2. Card sharing – Again, it might seem easy enough to pass your card onto a colleague when they’re in a hurry, but it’s hard to criticise cybersecurity standards of an organisation if individuals don’t adhere to explicit security processes.
  3. Leaving a cut card in a reader – Possibly the worst offender on this list, but sadly we have seen it in action! The explanation we were given was that Information Governance colleagues would regularly walk around and check on how things were running. In order to avoid detection of card sharing whilst still having quick shortcut access, one card was left in a reader and then cut off, so IG couldn’t see the card in the reader or even know that the behaviour was going on.
  4. Robot smartcards – Having a machine with a smartcard permanently in a reader, which automatically logs in with a fixed passcode, poses an IG risk, and most trusts are completely oblivious to this. Our analytics dashboard highlights this behaviour straight away so it’s not something we see with iO.
  5. Single sign on passcode manager software – By using software to remember your passcode and key it in for you, you’re no longer using two-factor authentication. You take the security level down to just one factor, which doesn’t adhere to NHS security standards and doesn’t stop someone else jumping on your card should they pick it up.
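As an added example (not Isosec's code, and not a description of how the iO analytics dashboard works), the sketch below shows one way a trust could spot items 3 and 4 in its own reader logs: a card that stays in a reader far longer than a shift, and logins that recur with machine-like regularity. The log format, card and workstation IDs, and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample events (not real NHS or iO data). Assumed line format:
# <ISO timestamp> <INSERT|REMOVE|AUTH> card=<id> ws=<workstation>
SAMPLE_LOG = """\
2017-09-04T07:58:10 INSERT card=C-1001 ws=WARD3-PC1
2017-09-04T07:58:21 AUTH card=C-1001 ws=WARD3-PC1
2017-09-04T12:31:02 REMOVE card=C-1001 ws=WARD3-PC1
2017-09-04T13:05:40 INSERT card=C-1001 ws=WARD3-PC2
2017-09-04T13:05:55 AUTH card=C-1001 ws=WARD3-PC2
2017-09-04T16:02:13 REMOVE card=C-1001 ws=WARD3-PC2
2017-09-04T06:00:00 INSERT card=C-2002 ws=LAB-PC9
2017-09-04T06:00:05 AUTH card=C-2002 ws=LAB-PC9
2017-09-04T12:00:05 AUTH card=C-2002 ws=LAB-PC9
2017-09-04T18:00:05 AUTH card=C-2002 ws=LAB-PC9
2017-09-05T00:00:05 AUTH card=C-2002 ws=LAB-PC9
2017-09-05T06:00:05 AUTH card=C-2002 ws=LAB-PC9
2017-09-04T08:00:00 INSERT card=C-3003 ws=CLINIC-PC4
2017-09-04T08:00:30 AUTH card=C-3003 ws=CLINIC-PC4
2017-09-04T09:47:12 AUTH card=C-3003 ws=CLINIC-PC4
2017-09-04T14:20:03 AUTH card=C-3003 ws=CLINIC-PC4
2017-09-04T22:15:44 AUTH card=C-3003 ws=CLINIC-PC4
2017-09-05T03:02:10 AUTH card=C-3003 ws=CLINIC-PC4
"""

LINE = re.compile(r"^(\S+) (INSERT|REMOVE|AUTH) card=(\S+) ws=(\S+)$")


def parse_events(text):
    """Return (timestamp, kind, card, workstation) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip anything that is not in the assumed format
            ts, kind, card, ws = m.groups()
            events.append((datetime.fromisoformat(ts), kind, card, ws))
    return sorted(events)


def find_risky_cards(events, max_session=timedelta(hours=16),
                     min_auths=4, max_jitter_s=60):
    """Map card id -> set of findings. Thresholds are illustrative defaults."""
    if not events:
        return {}
    end_of_log = events[-1][0]
    inserted_at = {}                   # card -> start of the open insertion
    longest = defaultdict(timedelta)   # card -> longest continuous insertion
    auth_times = defaultdict(list)
    for ts, kind, card, _ws in events:
        if kind == "INSERT":
            inserted_at.setdefault(card, ts)
        elif kind == "REMOVE" and card in inserted_at:
            longest[card] = max(longest[card], ts - inserted_at.pop(card))
        elif kind == "AUTH":
            auth_times[card].append(ts)
    # A card never removed is measured up to the last event in the log.
    for card, start in inserted_at.items():
        longest[card] = max(longest[card], end_of_log - start)

    findings = defaultdict(set)
    for card, duration in longest.items():
        if duration > max_session:
            findings[card].add("card-left-in-reader")
    for card, times in auth_times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-identical gaps between logins suggest a scripted passcode.
        if len(times) >= min_auths and pstdev(gaps) <= max_jitter_s:
            findings[card].add("machine-regular-logins")
    return dict(findings)


if __name__ == "__main__":
    for card, why in sorted(find_risky_cards(parse_events(SAMPLE_LOG)).items()):
        print(card, sorted(why))
```

On the constructed log, the card used across two normal sessions is not flagged, the card that is never removed but is used at irregular times is flagged only for being left in the reader, and the card with logins exactly six hours apart is flagged for both.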

 

What Can You Do About It?

Some people don’t think NHS smartcards are the best and from the list above it’s clear to see that there is some education around the issue of cybersecurity to be done generally. It’s a strong case for how sometimes poorly managed technology can hinder users rather than benefit them, but sadly there are often unsafe workaround tactics like these that harbour high risk behaviour.

However, we think when smartcards are used properly they do the job for the NHS and we’ve even developed ways to maximise the security and efficiency with them.

From our experience with IT departments in the NHS we listened to these extensive issues some Trusts have with the smartcard. From there we expanded our iO identity agent capability and iO Virtual Smartcard was created. There are a wealth of benefits to using our Virtual Smartcard product, but most importantly we built it to maximise the security around authentication whilst still addressing the user issues we have witnessed along the way.

By creating an innovative technology that meets both the practicality of everyday working practices as well as high-level security standards we hope to further the efficiency of the NHS whilst still maintaining the necessary safeguarding of patient data in the modern world.

To find out more about how to avoid these high risk behaviours in your organisation you can download our Virtual Smartcard brochure or watch our explainer video on our website.

How Digital Technology Improves Staff Satisfaction in the NHS

The staff are what keeps the NHS on its feet. They are the ones who ensure everything runs as it should, despite cuts to funding for services, despite having more complex health needs to treat, despite waiting on that long overdue pay rise. The NHS staff are the heroes of our healthcare system, they stay late after their long shifts, kindly talk patients through any concerns and are somehow able to stay calm while their establishment crumbles around them in an uncertain political and economic climate. As a result of this, staff satisfaction in the NHS is critically low.

In midwifery especially, for example, there is a huge concern over staff retention in the field, as is the case across several NHS disciplines. The RCM’s 2016 report ‘Why Midwives Leave’ states that there is a current shortage of 3,500 midwives, with an increase of around 100,000 births since 2002. A band six midwife has even seen a pay decrease of £4000!

The same report and comprehensive survey states that the overarching reason for midwives leaving was due to staffing, workload and not enough time to spend with women to deliver the high quality care they needed.

What if there were ways that Trusts could support their staff to deliver this higher quality care? By minimising unproductive tasks like unnecessary admin and travel, staff can spend time on what’s important and increase the time they spend doing what they trained to do – to help deliver care.

With our mobile digital solution MIA, we are increasingly finding that staff satisfaction is one of our top benefits.

At one Trust last year, a forward-thinking Lead Midwife and her community team saw the value of implementing efficient technology, and their Bradford score improved by 74%. Implementing MIA Maternity was not the only thing the team did, of course; they also improved Wi-Fi availability in their community hubs and introduced mobile workstations. But with a mobile solution like MIA that works online or offline to complete clinical notes, they are saving an average of 5 hours a week, per midwife; and the tasks they are cutting back on are the ones that make them unhappy at work!

This comes from not having to travel back to base at the end of the day to re-key paper notes into the Trust’s EPR, because MIA synchronises them transparently. It comes from not misplacing files or valuable forms because they’re digitised and accessible on a tablet device from anywhere, improving team information sharing. It means that midwives can now get home on time at the end of their shift, where before they had to fight over too few workstations back at base to type their notes up.

Very few, if any, NHS clinical staff do what they do because they want to spend time on admin, paperwork and getting stuck in traffic. These unnecessary tasks are stressful and stressed-out staff do not deliver the best care possible because they are worried about other things. By introducing smart technology like MIA a Trust is investing in its staff, giving them the best tools in order for them to deliver the best care.

It’s not just maternity that MIA can help with; any clinical paper process in the NHS can benefit from an agile development approach into a streamlined digitised solution. Check out our website to read about our other solutions, download brochures and find out more about improving staff satisfaction in the NHS. Any questions? Why not tweet us @isosec.

The WannaCry ransomware and how it (doesn’t) affect us

There’s been a great deal in the news over the past few days about the already infamous “WannaCry” (AKA “WannaCrypt”, “WanaCrypt0r”, “Wanna Decryptor” etc.) malware that’s spread like wildfire across the world, most notably infecting numerous NHS trusts. You may not already know that Isosec was built from a security background; we have cybersecurity expertise spanning 50 years. With this in mind we thought we’d let you know just what on earth is going on, how it might affect you, and how it, thankfully, doesn’t affect Isosec (despite the similarities in the name of other companies involved!).

What is it?

First and foremost we come to the question that’s on most people’s minds: just what exactly is this thing? Well, “WannaCrypt” is a type of malware (malicious software) known as “ransomware”, which is software that will encrypt all of your most important files and folders, and then quite literally hold them to ransom, asking you to make a payment in order to decrypt them for use (which more often than not is the worst possible thing you can do).

Now that the technical jargon is out of the way, a practical example. You receive an email with an attachment, you open this attachment and it runs a program on your computer, this program locks away all of your files with a password you don’t know, and then demands a sum of money in return for that password. Sound bad? It is! Ransomware has been around for many years in various forms, but what’s getting worse is not so much the programs themselves, but the way in which they spread.

In the case of “WannaCry”, the evidence thus far suggests that it’s capable of spreading across the entirety of a local network with ease, infecting every other computer on the network that isn’t up to date enough to protect against the vulnerability. Now if the “not up to date” part of that piqued your interest, that’s for good reason…

Staying safe

Whilst the usual security principles come into play here – always run an active anti-virus and keep a malware scanner to hand, don’t open unknown attachments, stay away from unfamiliar websites etc. – there is one that rises above all others in terms of importance; keep your computer up to date. The vulnerability in Microsoft’s Windows product that allowed the “WannaCry” attack to take place was fixed back in March of this year, meaning that the average computer was already safe by the time the attack began. But if you don’t regularly update – and don’t have automatic updates switched on – then you were, and possibly still are, at risk.

How this (doesn’t) affect Isosec

Due to the nature of ransomware, attacks such as these are unlikely to affect us as a company. Our internal security policies keep us out of harm’s reach, and the fact we ship software rather than hardware means we’re not in the crosshairs of these sorts of attacks. But that doesn’t mean we can wash our hands of any responsibility; instead, it’s important to look at how we can help you to prevent these problems from happening.

Let’s use MIA Maternity as an example. MIA Maternity is completely offline-capable, and while that’s important for midwives who use our software in areas of limited or no connectivity, it’s even more important when a large scale cyber attack such as this one occurs.

This is because even though the Trust-owned servers that hold the all-important patient data might be compromised, the mobile devices remain functional, with a recent copy of all the patient data required to work. Midwives can continue to work without issue, and patient care isn’t compromised. Better yet, there’s no need to revert to older paper-based backups: midwives can continue to enter data into MIA Maternity, and it will be sent back to the server once the issue has been resolved by the Trust.

 

Here at Isosec we take security very seriously. It’s baked into how we make software, and is something on the minds of everyone here constantly.

Google Cloud Next London 2017

Introducing Google Cloud Next London 2017

Last week I was lucky enough to be able to attend Google Cloud’s annual “Next” event hosted in London’s fantastic ExCel exhibition centre. Peeling myself away from all of the exciting work going on around our newly announced Virtual Smartcard solution was difficult, but for a developer and technology enthusiast such as myself the event made for an exciting opportunity, and I couldn’t wait to see what Google’s Cloud Platform (GCP) had in store for a forward-thinking tech company like Isosec.

First and foremost however, a little background. GCP is well known amongst both Google and cloud enthusiasts alike, and has been around for a little over half a decade, with some of its individual components long predating that. It comprises some well-known cloud-based technologies such as BigQuery and App Engine, some consumer grade facilities like Google Docs and Drive, and far more that even I – a self-confessed Google addict and cloud enthusiast – had never heard of.

Why were they doing this?

But Google have – in my opinion – been having a bit of a problem with their cloud efforts, and it comes in the form of the other well-known cloud platform currently on the market. See despite how well Microsoft’s Azure is currently regarded, and how much they’re incentivizing it financially, there simply isn’t anyone as well known in the industry as Amazon with their infamous AWS. You’ll hear about it all over the web, see it on the news, encounter it daily – even if you don’t realise it – on a tremendous amount of your favourite websites, and even run into it on popular TV shows like Mr Robot and Silicon Valley. It’s everywhere you look when it comes to the cloud, and that’s exactly what Google are trying to change.

AWS has frequently featured in tech TV shows like HBO’s Silicon Valley

Cue Google Cloud’s Next event, where Google’s enormous marketing budget meets its tremendous technology advancements to provide something truly special. Over the course of two days – three if you took part in any of their paid bootcamps – this free event offered over 50 “breakout sessions” where the experts behind the tech demonstrated their offerings to small-ish groups ranging from tens to hundreds, or in the case of the keynotes, thousands. Of course, when you weren’t in one of the many dedicated rooms, a typically Google experience meant there were VR demonstrations, partners such as Intel, Accenture and plenty of others showcasing their various products, and the kind of free gourmet food and drink on offer that made you forget you weren’t spending the day in the company’s famed Googleplex.

Setting all the fanfare aside however, let’s get down to what’s important…

The technology

Whilst the GCP has been around for several years, its pace of innovation and change meant that almost everything felt brand new, or at least heavily polished. There was a big focus on their various levels of cloud technology, from the simplistically designed Cloud Functions to the more complex Compute and App Engines, and a huge push for their Spanner database technology and the overall architecture of their platform. This was truly an opportunity for Google to say “Here’s what we’ve done, and here’s why it’s better”, and they certainly didn’t disappoint.

“Go big or go home” is definitely a motto at Google

Helping them get the message across were several high profile partners, some of whom featured in some of the various breakout sessions held throughout the event. Lush’s head of technology Ryan Kerry gave a fantastic talk about their migration to GCP and how they achieved it just in time for the Christmas rush, and VFX giants MPC did an incredible demonstration of their use of GCP to aid in the creation of some of Jungle Book’s award-winning animated sequences. Google did also reference Niantic, who had a famously poor launch from a technology perspective, but then I think you’d struggle to pin the blame for that on Google or the GCP.

MPC made use of GCP’s offerings when animating Disney’s Jungle Book

APIs are still king

What I found arguably most impressive however was not the flashy products or the big-name partners, but the APIs. Though already well known for its production and maintenance of APIs – when was the last time you used a website that didn’t have a Google Map embedded, or the option to translate its contents to a foreign language using Google Translate – Google are now looking to make the most of machine learning, artificial intelligence and the power of its infrastructure to conquer new areas. Particularly impressive were its demonstrations of its Data Loss Prevention API for understanding and automatically redacting sensitive information, Image Processing API for recognising the objects, facial expressions, locations and much more of both photos and videos, and their natural language API, which made the bane of most feedback forms – open ended questions – a cinch to analyse.

Photo of the Eiffel Tower in Las Vegas

If you thought this was a photo of Paris’ Eiffel Tower, then I’m afraid Google’s Image Processing API is smarter than you (it’s actually the one in Las Vegas)

Google being Google

Of course, it wouldn’t be a Google event if there weren’t some fun aspects, and whilst there were no slides or multi-coloured bicycles to help you get around, there were still a few elements of Google shining brightly through. The “Quick, Draw!” stand drew crowds of people – who evidently didn’t realise they could play online any time – and the Kubernetes “Whack-a-node” game gave a really fun take on high availability and service rebuild times, something I think most companies would struggle to do. Collaborative whiteboarding application Jamboard also got plenty of attention, and so too did Google’s Daydream VR headset, which had an unsurprising queue of people for the entirety of the event.

Output of Google's photo recognition API

The facial recognition API isn’t quite there yet, but it’s getting close!

Google’s “Quick, Draw!” stand garnered a lot of interest

All in all it was a fantastic event. Google put on one hell of a show, and struck a near-perfect balance between technical demonstrations and higher level overviews. They even managed to do the entire thing without it seeming like too much of an advertisement – which of course, it was – and that alone is a fairly impressive achievement. For a Google fan such as myself, it was a privilege to be able to attend, and the new technologies and concepts I was exposed to will be featuring in Isosec products very soon.